Digital Guardian's Blog

Mitigations Available for Latest Office Zero Day

by Chris Brook on Wednesday September 8, 2021


There's no patch yet, but Microsoft has released a workaround to mitigate the latest zero day, a vulnerability announced this week in Windows 10 and Windows Server.

Administrators are encouraged to implement a workaround for a new zero-day vulnerability in Microsoft Office that the company says attackers have attempted to exploit in targeted attacks.

In an advisory published on Tuesday, the company provided guidance to mitigate the bug, a remote code execution vulnerability (CVE-2021-40444) in MSHTML that could be exploited through a rigged Office document. On Windows, Internet Explorer is based on the MSHTML browser engine, similar to how Safari and Chrome are based on WebKit.

While there isn't a patch available yet, organizations can apply a mitigation - ensuring that files are opened in Protected View or Application Guard for Office - or implement a workaround - disabling the installation of all ActiveX controls in Internet Explorer - to prevent exploitation.

Microsoft also notes that user accounts configured with fewer rights on the system may be less affected than users who operate with administrative rights.

According to Microsoft, an attacker could exploit the vulnerability by crafting a malicious ActiveX control to be used by an Office document that hosts the browser rendering engine. If a victim opens the file, the vulnerability could be exploited.

The company says it's still in the middle of investigating the vulnerability and that it may ultimately release a patch for it either during its usual monthly Patch Tuesday updates or an out-of-cycle security update.

While the CVSS 3.0 rating, 8.8, means the vulnerability is worth addressing, the fact that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency also warned about it this week lends it some credence as well. CISA encouraged users to follow Microsoft’s guidance on Tuesday.

Realistically, as long as your organization has Office set to open documents in Protected View or Application Guard, which is largely the default, the risk should be low. Disabling ActiveX and making the necessary registry changes - Microsoft details those further in its advisory - shouldn't be too disruptive either.
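To check whether the two mitigations described above are actually in place on a workstation, here is a read-only PowerShell audit script. It is an added example, not code from Digital Guardian or from Microsoft's advisory. It assumes the registry locations Microsoft's advisory for CVE-2021-40444 gives for the ActiveX workaround (policy values 1001 and 1004 under each Internet Settings zone, with 3 meaning "disable"), and it assumes an Office 16.0 per-user hive for the Protected View settings; verify both against the advisory and your Office build before relying on the result.

```powershell
# Added example (not from the post or Microsoft's advisory): read-only audit of
# the CVE-2021-40444 mitigations - ActiveX download disabled in IE zones 0-3, and
# Protected View not switched off in Office.
# Assumptions: value names 1001 (download signed ActiveX) and 1004 (download
# unsigned ActiveX) with data 3 = disable, under the policy key below, follow
# Microsoft's advisory; the Office hive is assumed to be 16.0.

$zonePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$activeXValues = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
}

function Test-ActiveXDisabled {
    # One object per zone (0-3) and value. Disabled is $true only when the policy
    # value exists and is set to 3; an absent value means the workaround is not applied.
    foreach ($zone in 0..3) {
        $key = Join-Path $zonePolicy $zone
        foreach ($name in $activeXValues.Keys) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone     = $zone
                Setting  = $activeXValues[$name]
                Value    = $current
                Disabled = ($current -eq 3)
            }
        }
    }
}

function Test-ProtectedView {
    # Protected View is on by default. A value of 1 in any of these settings means
    # that category of risky document (Internet files, unsafe locations, Outlook
    # attachments) opens WITHOUT Protected View. Absent or 0 = still protected.
    $apps  = 'Word', 'Excel', 'PowerPoint'
    $names = 'DisableInternetFilesInPV', 'DisableUnsafeLocationsInPV',
             'DisableAttachementsInPV'   # sic: Office's own spelling of the value
    foreach ($app in $apps) {
        $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security\ProtectedView"
        foreach ($name in $names) {
            $current = $null
            if (Test-Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                App             = $app
                Setting         = $name
                Value           = $current
                ProtectedViewOn = (-not $current)
            }
        }
    }
}

$activeX = Test-ActiveXDisabled
$pv      = Test-ProtectedView

$activeX | Format-Table -AutoSize
$pv      | Format-Table -AutoSize

$gaps = @($activeX | Where-Object { -not $_.Disabled }).Count +
        @($pv      | Where-Object { -not $_.ProtectedViewOn }).Count
if ($gaps -eq 0) { 'Both mitigations are in place.' }
else             { "$gaps setting(s) still need attention." }
```

The script only reads the registry, so it can be run from an unprivileged session; the ActiveX policy key under HKLM is typically visible without elevation even though writing it requires administrator rights. Protected View settings pushed by Group Policy live under the HKCU\Software\Policies hive rather than the path checked here, so a clean result from this script does not by itself prove a policy has not turned Protected View off; extend the key list if your environment manages Office that way. Apply the actual workaround through the registry changes or Group Policy objects described in Microsoft's advisory rather than ad hoc.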

For those curious, Edge, Microsoft’s latest browser, isn’t affected by the issue; only Windows Server 2008 through 2019 and Windows 8.1 through 10, in which IE is still present, are.

Microsoft didn’t say how widespread exploitation of the vulnerability, which was discovered by researchers with Mandiant and EXPMON, has been, only that it was aware of attempted exploitation.

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.